Vietnamese Cybercriminals Leveraging Facebook Ads to Distribute Malware

Cybersecurity threats continue to evolve, expanding their tactics and targets, as a growing Vietnamese cybercrime ecosystem capitalizes on the reach of social media platforms to distribute malware. Cybercriminals have long exploited fraudulent ads to victimize users through scams and malvertising. With an increasing number of businesses now using social media platforms for promotion, threat actors are seizing the opportunity to launch attacks through hijacked business accounts.

Cyber threats targeting Meta (formerly Facebook) and its business accounts have surged in the past year. This trend can largely be attributed to threat groups such as Ducktail and NodeStealer, notorious for their attacks on businesses and individuals active on the Facebook platform. These intruders make extensive use of social engineering techniques to obtain unauthorized access to user accounts. Their strategies are widespread, spanning multiple platforms that range from Facebook and LinkedIn to WhatsApp and job marketplace websites like Upwork.

One recurrent feature shared among these threat groups involves the misuse of URL shortening services and authentic cloud services such as Trello, Discord, Dropbox, iCloud, OneDrive, and Mediafire. These serve as hosts for the malicious payloads introduced by the attackers.

Efforts by threat actors such as Ducktail involve luring victims with marketing-related projects in order to infiltrate businesses relying on Meta's business platform. Recent attack waves have also adopted job and recruitment-themed baits to initiate infections. Potential targets are directed to fictitious job postings hosted on websites like Upwork and Freelancer. These postings often contain a camouflaged link to a rigged job description file hosted on a cloud storage provider. The culmination of this deceptive process implants the Ducktail-stealer malware within the target.

Developments in this cyber threat landscape continue to illustrate the ever-evolving tactics of these attackers. These include updating malware to extract a victim's personal details from platforms such as X (formerly Twitter), TikTok Business, and Google Ads. Additionally, hackers are now capable of exploiting stolen Facebook cookie sessions to produce fraudulent advertisements automatically. Furthermore, they can acquire additional permissions to perform other actions within the victim's compromised account.

The ramifications of these cyberattacks extend beyond just the initial victims. The malicious products of these operations, such as breached social media accounts, fuel an underground economy where stolen accounts can be bought and sold. The pricing of these accounts is typically dependent on their perceived utility for illicit activities.

Moreover, these activities also point to coordinated collaboration or shared tactics among various threat actors within the Vietnamese cybercriminal ecosystem. This observation is underscored by a Ducktail-mimicking threat group called Duckport, which has been active since late March 2023. Duckport not only mirrors Ducktail's information-stealing tactics but also hijacks the victim's Meta Business account at the same time.

Despite their shared tactics, Duckport and Ducktail exhibit some distinct differences. For instance, Duckport does not simply provide direct download links to file hosting services, which might raise suspicions. Instead, it redirects victims to branded sites related to the impersonated company, ultimately leading them to download the malicious file from a hosting service.

At Darksteel Technologies, we are an Orlando-based business that can handle all aspects of your IT security, providing compliance, training, malware protection, cloud security, DevSecOps, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.
